Proper use of keyid in allow-transfer

MURTARI, JOHN jm5903 at
Thu Dec 7 12:41:24 UTC 2017

                Came across usage of a keyid as an address list in a allow-transfer option on a older server site.  Didn't really know that was legal. It  seemed an easier way to allow zone transfers without constantly updating a list of IP addresses on a master server.  The only trouble - it didn't seem to actually work?

                We've been trying it in a older lab server  running a Solaris 9.9.9-S4 version of bind.   The master has:

options {
       allow-transfer {key bongo;};

key "bongo" {

        algorithm hmac-md5;

        secret "BippityBop";


                The slave server defines the same key and is located at  When we use the above on the master, transfers for any zone work fine.  If we remove the IP address and try a transfer we get 'denied'.  What are we missing?  Thought we might have to associate the keyid with zones on the slave, but couldn't find any options for that??? We don't use TSIG on these servers.

                Thanks for the help!
John Murtari - jm5903 at<mailto:jm5903 at>
office: 315-944-0998
cell: 315-430-2702

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the bind-users mailing list